
Check_http: Cannot make SSL connection.

Posted: Mon Jul 15, 2019 4:19 pm
by vmesquita
I am trying to add a check_http against an SSL server but I am getting this:

Code:

./check_http -H vx933 -S -p 8543 -v
CRITICAL - Cannot make SSL connection.
SSL initialized

I read some older posts, and some suggested running curl, which I did, but got this:

Code:

curl https://vx933:8543
curl: (35) TCP connection reset by peer

Can you advise?

Re: Check_http: Cannot make SSL connection.

Posted: Mon Jul 15, 2019 4:42 pm
by cdienger
'reset by peer' would indicate that there is something sending a reset packet when the client attempts to connect. Could be a firewall or the vx933 server itself. Make sure port 8543 is up, listening, accepting connections, and that there isn't a firewall blocking it.

Re: Check_http: Cannot make SSL connection.

Posted: Tue Jul 16, 2019 12:32 pm
by vmesquita
cdienger wrote: 'reset by peer' would indicate that there is something sending a reset packet when the client attempts to connect. Could be a firewall or the vx933 server itself. Make sure port 8543 is up, listening, accepting connections, and that there isn't a firewall blocking it.

But telnet seems to work:
[Attached image: telnet.png]
Does it make sense with the hypothesis of a firewall block?

Re: Check_http: Cannot make SSL connection.

Posted: Tue Jul 16, 2019 2:28 pm
by cdienger
Some firewalls can prevent an SSL connection over non-standard ports, which could explain why you're able to make a TCP connection with telnet.

A tcpdump taken on both the XI server and vx933 server while trying to run the curl command and plugin can shed some light on what's happening. On the XI server this can be done with:

Code:

yum -y install tcpdump
tcpdump -s 0 -i any port 8543 -w output.pcap

Use CTRL+C to stop the tcpdump after reproducing the problem. output.pcap can be reviewed with Wireshark. Feel free to PM me a copy if you'd like to have me review it.

Re: Check_http: Cannot make SSL connection.

Posted: Thu Jul 18, 2019 12:17 pm
by cdienger
There does appear to be something between the two machines that is closing the connection prematurely.

- The XI capture shows two attempts to connect but the remote side capture only shows one attempt.
- The one connection that is seen on both traces doesn't show the same traffic. On the XI side we see the XI server sending a "Client Hello", but this is never received on the destination side. The connection on both ends is terminated with a RST packet.

Try running the check_plugin command with the "--sni" option. Some devices may require this option.

What OS is XI installed on?

Re: Check_http: Cannot make SSL connection.

Posted: Thu Jul 18, 2019 3:38 pm
by vmesquita
Hi cdienger,

I tried --sni with no success. Nagios XI is running on CentOS 7. Anything else I could try?

Re: Check_http: Cannot make SSL connection.

Posted: Thu Jul 18, 2019 4:44 pm
by cdienger
At this point I would be looking for devices between the two machines that could be filtering the traffic.
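
The symptom worked out in this thread (telnet connects, but the connection is reset once the "Client Hello" is sent) can be told apart from a closed port or a certificate problem by reporting the stage at which the connection fails. The following is an added example, not part of the original thread and not Nagios code; `probe` and `start_resetting_listener` are hypothetical names, and the listener is a constructed local stand-in for the filtering device so the script runs offline.

```python
import socket
import ssl
import struct
import threading

def probe(host, port, sni=None, timeout=5.0):
    """Return the stage at which a TLS connection to host:port fails."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return f"tcp_failed: {exc.__class__.__name__}"  # what telnet would also show
    # Diagnostic only: certificate checks are off so the result reflects the
    # network path, not the trust store. Do not reuse this context for real traffic.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # The ClientHello is sent here; sni=None omits the server_name extension.
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return f"tls_ok: {tls.version()}"
    except ConnectionResetError:
        return "tcp_ok_tls_reset"  # TCP handshake fine, RST during the TLS handshake
    except (ssl.SSLError, OSError) as exc:
        return f"tcp_ok_tls_failed: {exc.__class__.__name__}"
    finally:
        raw.close()

def start_resetting_listener():
    """Constructed stand-in for the filtering device: accepts the TCP
    connection, reads the ClientHello, then answers with a RST."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)
        # SO_LINGER with a zero timeout makes close() send RST instead of FIN.
        conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = start_resetting_listener()
    print(probe("127.0.0.1", port, sni="vx933"))  # hostname taken from the thread
```

Against a real target, run `probe` once with `sni` set and once without; the same `tcp_ok_tls_reset` result in both cases matches what the thread found when `--sni` made no difference.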